Only half of one of the security holes previously identified on the government's health care site has been patched, while new ones have since been uncovered, says the head of a security consulting firm.